[-- Attachment #1: Type: text/plain, Size: 1805 bytes --]
Hi,
I appreciate this is a bit of a noob question not directly related to WireGuard and has been covered before, but I’m just hoping for a bit of advice and clarity. I’ve got a WireGuard tunnel up and running nicely between my MBP laptop and my Debian server at home and am hoping to use it as a VPN while travelling.
However I’ve found an issue when my laptop is behind work firewalls which block UDP, and not wanting to be encountering this issue overseas have been looking at tunnelling options. I have been using a SOCKS proxy generated with OpenSSH up until now, but it’s difficult to route all my laptop’s traffic via the proxy.
I’m aware of SSF (https://securesocketfunneling.github.io/ssf <https://securesocketfunneling.github.io/ssf>) and udp2raw (https://github.com/wangyu-/udp2raw-tunnel/blob/master/doc/openvpn_guide.md <https://github.com/wangyu-/udp2raw-tunnel/blob/master/doc/openvpn_guide.md>) which has been covered on this list before (https://lists.zx2c4.com/pipermail/wireguard/2018-May/002915.html <https://lists.zx2c4.com/pipermail/wireguard/2018-May/002915.html>) but just wonder if anyone could comment on the specific security implication of using minimal or no security on the TCP tunnel mechanism (which seems poorly implemented by udp2raw particularly), and relying on the underlying WireGuard encryption? Or is this crazy? Is there any other satisfactory Unix-based mechanism to tunnel UDP over TCP?
I feel like if I run a WireGuard tunnel through an encrypted SSF tunnel I may as well just be using SSF by itself, however the ease of setting the default route on my laptop with wg-quick is a great feature and I am very impressed by the quality of WireGuard and the focus on security so would like to continue using it if possible.
Thanks,
Ryan
[-- Attachment #2: Type: text/html, Size: 2370 bytes --]
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi,<div class=""><br class=""></div><div class="">I appreciate this is a bit of a noob question not directly related to WireGuard and has been covered before, but I’m just hoping for a bit of advice and clarity. I’ve got a WireGuard tunnel up and running nicely between my MBP laptop and my Debian server at home and am hoping to use it as a VPN while travelling.&nbsp;</div><div class=""><br class=""></div><div class="">However I’ve found an issue when my laptop is behind work firewalls which block UDP, and not wanting to be encountering this issue overseas have been looking at tunnelling options. I have been using a SOCKS proxy generated with OpenSSH up until now, but it’s difficult to route all my laptop’s traffic via the proxy.</div><div class=""><br class=""></div><div class="">I’m aware of SSF (<a href="https://securesocketfunneling.github.io/ssf" class="">https://securesocketfunneling.github.io/ssf</a>) and udp2raw (<a href="https://github.com/wangyu-/udp2raw-tunnel/blob/master/doc/openvpn_guide.md" class="">https://github.com/wangyu-/udp2raw-tunnel/blob/master/doc/openvpn_guide.md</a>) which has been covered on this list before (<a href="https://lists.zx2c4.com/pipermail/wireguard/2018-May/002915.html" class="">https://lists.zx2c4.com/pipermail/wireguard/2018-May/002915.html</a>) but just wonder if anyone could comment on the specific security implication of using minimal or no security on the TCP tunnel mechanism (which seems poorly implemented by udp2raw particularly), and relying on the underlying WireGuard encryption? Or is this crazy? Is there any other satisfactory Unix-based mechanism to tunnel UDP over TCP?</div><div class=""><br class=""></div><div class="">I feel like if I run a WireGuard tunnel through an encrypted SSF tunnel I may as well just be using SSF by itself, however the ease of setting the default route on my laptop with wg-quick is a great feature and I am very impressed by the quality of WireGuard and the focus on security so would like to continue using it if possible.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class=""><br class=""></div><div class="">Ryan</div></body></html>